Incomplete list of Alerts
Greetings!
I have noticed that the list of alerts on this page is incomplete. A customer requested that log details be sent to Sentinel or a SIEM in order to identify the correct alert names.
Will it be possible to add sample logs for the missing alerts below (and perhaps more)?
- Suspected exploitation attempt on Windows Print Spooler service (external ID 2415)
- Suspected NTLM relay attack (Exchange account) (external ID 2037)
- Suspected rogue Kerberos certificate usage (external ID 2047)
- Suspected SMB packet manipulation (CVE-2020-0796 exploitation) (external ID 2406)
- Exchange Server Remote Code Execution (CVE-2021-26855) (external ID 2414)
- Suspicious modification of a sAMNameAccount attribute (CVE-2021-42278 and CVE-2021-42287 exploitation) (external ID 2419)
- Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation) (external ID 2411)
- Suspected AS-REP Roasting attack (external ID 2412)
- Suspected Golden Ticket usage (ticket anomaly using RBCD) (external ID 2040)
- Suspicious edit of the Resource Based Constrained Delegation Attribute by a machine account (KrbRelayUp)
- Suspicious Kerberos delegation attempt using BronzeBit method (CVE-2020-17049 exploitation) (external ID 2048)
Regards
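The customer's underlying problem is matching an alert in a SIEM feed to its documented name by external ID. As an added example (not code from this issue, from the ATADocs project, or from Microsoft), the parser below splits standard CEF records (`CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension`) and flags records whose external ID is one of the IDs listed in this issue. The log lines are constructed for illustration and do not reproduce the real Defender for Identity output; that the external ID arrives as an `externalId=` extension key (with the header signature-ID field as fallback) is an assumption, and the KrbRelayUp entry is left out because the issue gives no external ID for it.

```python
import re

# Alert names and external IDs exactly as listed in this issue. The KrbRelayUp
# entry is omitted because the issue gives no external ID for it.
REQUESTED_ALERTS = {
    "2415": "Suspected exploitation attempt on Windows Print Spooler service",
    "2037": "Suspected NTLM relay attack (Exchange account)",
    "2047": "Suspected rogue Kerberos certificate usage",
    "2406": "Suspected SMB packet manipulation (CVE-2020-0796 exploitation)",
    "2414": "Exchange Server Remote Code Execution (CVE-2021-26855)",
    "2419": "Suspicious modification of a sAMNameAccount attribute (CVE-2021-42278 and CVE-2021-42287 exploitation)",
    "2411": "Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)",
    "2412": "Suspected AS-REP Roasting attack",
    "2040": "Suspected Golden Ticket usage (ticket anomaly using RBCD)",
    "2048": "Suspicious Kerberos delegation attempt using BronzeBit method (CVE-2020-17049 exploitation)",
}

# Standard CEF header layout (seven pipe-separated fields, then the extension).
CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")


def _unescape(value):
    """Undo CEF escaping (\\| \\= \\\\) in a header field or extension value."""
    return re.sub(r"\\([|=\\])", r"\1", value)


def parse_cef(line):
    """Split one CEF line into its seven header fields plus an extension dict.

    Header fields are separated by unescaped '|'; the extension is a run of
    key=value pairs separated by whitespace, where values may contain spaces.
    """
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("CEF header is missing fields")
    record = {k: _unescape(v) for k, v in zip(CEF_HEADER_FIELDS, parts[:7])}
    record["extension"] = {}
    if len(parts) == 8:
        # A value runs until the next " key=" token or the end of the line.
        for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
            record["extension"][m.group(1)] = _unescape(m.group(2))
    return record


def external_id(record):
    """Return the alert's external ID.

    Assumption: the connector sends it as the 'externalId' extension key; if
    that key is absent, fall back to the header signature-ID field.
    """
    return record["extension"].get("externalId") or record["signature_id"]


def find_requested_alerts(lines):
    """Return the records whose external ID is one of the IDs in this issue."""
    matches = []
    for line in lines:
        try:
            rec = parse_cef(line)
        except ValueError:
            continue  # skip non-CEF lines (syslog noise, blank lines, ...)
        ext_id = external_id(rec)
        if ext_id in REQUESTED_ALERTS:
            matches.append({
                "external_id": ext_id,
                "log_name": rec["name"],
                "requested_name": REQUESTED_ALERTS[ext_id],
                "severity": rec["severity"],
            })
    return matches


# Constructed sample lines for this example only; vendor/product fields and
# field contents are placeholders, not real Defender for Identity output.
CONSTRUCTED_LOG_LINES = [
    r"CEF:0|ExampleVendor|ExampleProduct|1.0|SuspectedNtlmRelay|Suspected NTLM relay attack (Exchange account)|5|start=2024-03-25T19:25:49Z externalId=2037 suser=alice msg=Note: constructed sample with key\=value text",
    r"CEF:0|ExampleVendor|ExampleProduct|1.0|OtherAlert|Unrelated alert name|3|externalId=9999 suser=bob",
    r"CEF:0|ExampleVendor|ExampleProduct|1.0|2411|Suspected Netlogon privilege elevation attempt|9|shost=dc01",
    "not a CEF line at all",
]

if __name__ == "__main__":
    for hit in find_requested_alerts(CONSTRUCTED_LOG_LINES):
        print(hit["external_id"], hit["log_name"], "->", hit["requested_name"])
```

Running the block against the constructed lines reports the NTLM relay record (ID 2037 from the extension) and the Netlogon record (ID 2411 taken from the header field), and ignores the unrelated and non-CEF lines; pointing `find_requested_alerts` at real connector output would show which of the listed IDs actually appear in the feed and under which names.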
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: 4ff82a4d-1c0d-7d05-f383-78a5506dda02
- Version Independent ID: 02bd7bc8-76ca-2511-93cb-f3f3de46337d
- Content: SIEM log reference - Microsoft Defender for Identity
- Content Source: ATPDocs/cef-format-sa.md
- Service: microsoft-defender-for-identity
- GitHub Login: @batamig
- Microsoft Alias: bagol
@RonitLitinsky can you take a look at this item? Can we plan to update the docs for any of these?